Data Processing Agreement

This Data Processing Agreement ("DPA") supplements and forms part of the agreement between Adbustr and its partners (each a "Partner") where Adbustr processes personal data on behalf of the Partner. This DPA is drafted to satisfy Article 28 of the EU General Data Protection Regulation (GDPR).

1. Roles

• The Partner is the data controller
• Adbustr is the data processor for personal data processed on the Partner's instructions
• For our own analytics and platform-improvement processing, Adbustr acts as a controller

2. Scope and duration

Subject matter: programmatic ad exchange operations. Duration: the term of the underlying agreement plus statutory retention periods.

3. Subprocessors

Authorized subprocessors:

• Vercel (hosting / edge compute)
• Cloudflare (CDN / DDoS protection)
• Resend (transactional email)
• Plausible (privacy-preserving analytics)
• Pixalate (third-party IVT verification — when integrated)

We provide partners 30 days' notice before adding or replacing subprocessors. Partners may object on reasonable grounds.

4. International transfers

Transfers outside the EU/EEA are governed by Standard Contractual Clauses or, where applicable, the EU-US Data Privacy Framework.

5. Security measures

• Encryption in transit (TLS 1.2+)
• Encryption at rest for stored bid logs and PII
• Role-based access controls with least-privilege defaults
• Quarterly access review for production systems
• Incident response runbooks with 72-hour breach-notification commitment

6. Audit rights

Partners may request audit information or, with reasonable notice, conduct on-site audits no more than once per twelve months. SOC 2 Type II reports (when available) will satisfy most audit requests.

7. Termination

Upon termination, Adbustr will return or delete personal data in accordance with the Partner's instructions and applicable retention requirements.

8. Contact

DPA-related inquiries: dpo@adbustr.com.